A large-scale cyberattack has put millions of people in the United States at risk. Cybersecurity experts have found a network of hackers who may have stolen data from up to 115 million payment cards.

Hackers use fake messages and smart tools to steal payment data

These hackers are using smart and hard-to-detect tricks to steal personal and financial information. Most shockingly, they’re not just stealing credit or debit card details — they are taking advantage of new-age digital wallets like Apple Pay and Google Wallet.

These hackers are using a trick called “smishing”, where they send fake text messages that look like they’re from trusted services like mail delivery companies or toll payment centers. These messages contain dangerous links that take people to fake websites. Once a person enters their details, the hackers collect everything — names, card numbers, one-time passwords (OTPs), and even login credentials.

What makes this attack different is how these criminals use the stolen data. Instead of just trying to use the card numbers online, they go a step further. They add the stolen cards to digital wallets on their own devices. These wallets allow them to make purchases without even needing the actual card. Because the payments go through trusted systems, they don’t raise red flags.

These cybercriminals are using tools that are much more advanced than in the past. Their phishing kits can block certain IP addresses, avoid detection by cybersecurity tools, and target only mobile users. They’ve even added maps and mobile-friendly designs to their fake websites, making them look real.

Fake shopping websites and real-time tracking make it harder to stop

The hackers have created an entire business around these scams. They have built fake online shops that look like real ones. These fake shops are designed using platforms like WordPress and WooCommerce. People who visit these sites believe they are making real purchases. But instead, they are handing over their card information to criminals.

Some of these fake stores also pretend to accept payments through services like PayPal, which helps the attackers take over PayPal accounts too. The stolen data is often collected using advanced tools that track what people type in real time.

🌐 Teen Hacker’s $37M Crypto Crime Spree Exposed: Inside the SIM Swap That Shook the Blockchain

By the middle of 2024, one major cybercrime platform had expanded its tools to work in more than 80 countries and mimic hundreds of real-world brands. It even allowed multiple criminals to work together by giving them different roles and access levels. This platform made it easy for others to carry out scams by just paying for the service — something known as “phishing-as-a-service”.

Old phones and global scams help hackers cash out silently

Once hackers add the stolen cards to their own devices, they wait for a few days before making transactions. This 2-10 day delay helps avoid detection. After that, they start spending fast, often using the cards at physical stores with contactless payments or selling phones that already have loaded cards.

They tend to use older model phones, especially iPhones, because they have weaker security systems. On each phone, hackers can add multiple stolen cards, especially from victims in the U.S. and the U.K. These phones are sometimes shipped overseas, where other scammers use them to spend the money.

The hackers also set up fake merchant accounts on platforms like Stripe or Flutterwave. These accounts allow them to process payments from the stolen cards and withdraw the money as if it came from real business transactions.

To stay ahead of being caught, hackers constantly change the brands they imitate and switch their websites. Some even use tools similar to what software developers use — like Git version control — to keep their scam websites fresh and harder to track.

Between July 2023 and October 2024, over 32,000 fake websites themed around the U.S. postal service were found. Each site may have stolen between 387 to 3,485 payment cards. When added up, the number of affected people may be as high as 115 million.